[Samba] No symlink support on SMB2 and SMB3?

[Markus Doits]

Hello,

I am using Samba version 4.2.0rc4-GIT-4701d74.

When using a connection in protocol smb2 or smb3, the unix client says
symlinks are not supported, for example:

# mount //ip.addr/Programs ./tmp -o vers=3.0
# cd tmp
# ln -s bla blub
ln: failed to create symbolic link ‘blub’: Operation not supported

# mount
//ip.addr/Programs on /mnt/tmp type cifs
(rw,relatime,vers=3.0,sec=ntlmssp,cache=strict,username=markus,domain=OFFICE,uid=0,noforceuid,gid=0,noforcegid,addr=ip.addr,file_mode=0755,dir_mode=0755,nounix,serverino,rsize=1048576,wsize=1048576,actimeo=1,user=markus)

I suspect it is because unix extensions are off (there is always
"nounix" written in the mount output).
I tried the config option "unix extensions = yes" explicitly (should be
the default), but no change unfortunately.

I also experimented with the "allow insecure wide links" options and
similar candidates but had no luck to enable symbolic links (but maybe I
missed the right combination?).

When connecting with default NT1 protocol symbolic links work as expected.

Are symbolic links not supported in newer protocols anymore or am I
missing some configuration options?

Markus

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

[Miguel Medalha]

I am using Samba 4.1.16 with smb2/3 and symbolic links are working alright.

Following the smb.conf man page, I use:

unix extensions = no
wide links = yes

[Miguel Medalha]

The smb.conf man page explains it all:

wide links (S)

This parameter controls whether or not links in the UNIX file system may
be followed by the server. Links that point to areas within the directory
tree exported by the server are always allowed; this parameter controls
access only to areas that are outside the directory tree being exported.

Note: Turning this parameter on when UNIX extensions are enabled will
allow UNIX clients to create symbolic links on the share that can point
to files or directories outside restricted path exported by the share
definition. This can cause access to areas outside of the share. Due to
this problem, this parameter will be automatically disabled (with a
message in the log file) if the unix extensions option is on.

See the parameter allow insecure wide links if you wish to change this
coupling between the two parameters.

Default: wide links = no

[Jeremy Allison]

On Fri, Jan 23, 2015 at 12:07:31PM +0100, Markus Doits wrote:
> Hello,
>
> I am using Samba version 4.2.0rc4-GIT-4701d74.
>
> When using a connection in protocol smb2 or smb3, the unix client says
> symlinks are not supported, for example:
>
> # mount //ip.addr/Programs ./tmp -o vers=3.0
> # cd tmp
> # ln -s bla blub
> ln: failed to create symbolic link ‘blub’: Operation not supported
>
> # mount
> //ip.addr/Programs on /mnt/tmp type cifs
> (rw,relatime,vers=3.0,sec=ntlmssp,cache=strict,username=markus,domain=OFFICE,uid=0,noforceuid,gid=0,noforcegid,addr=ip.addr,file_mode=0755,dir_mode=0755,nounix,serverino,rsize=1048576,wsize=1048576,actimeo=1,user=markus)
>
> I suspect it is because unix extensions are off (there is always
> "nounix" written in the mount output).
> I tried the config option "unix extensions = yes" explicitly (should be
> the default), but no change unfortunately.
>
> I also experimented with the "allow insecure wide links" options and
> similar candidates but had no luck to enable symbolic links (but maybe I
> missed the right combination?).
>
> When connecting with default NT1 protocol symbolic links work as expected.
>
> Are symbolic links not supported in newer protocols anymore or am I
> missing some configuration options?

POSIX-style symlinks are not supported in SMB2, the POSIX
varient of this protocol hasn't been specified (yet).

[Jeremy Allison]

On Fri, Jan 23, 2015 at 10:05:44PM +0100, Markus Doits wrote:

>
> On 23.01.15 19:57, Miguel Medalha wrote:
> > I am using Samba 4.1.16 with smb2/3 and symbolic links are working alright.
> >
> > Following the smb.conf man page, I use:
> >
> > unix extensions = no
> > wide links = yes
> >
> >

> Unfortunately this still does not work for me - can you really make a
> symbolic link ("ln -s ...") when you are connected with smb2/3? Does
> "smbstatus" really show smb2/3 connection?

No you can't - the protocol doesn't support it.

[Markus Doits]

On 23.01.15 19:57, Miguel Medalha wrote:

> I am using Samba 4.1.16 with smb2/3 and symbolic links are working alright.
>
> Following the smb.conf man page, I use:
>
> unix extensions = no
> wide links = yes
>
>

Unfortunately this still does not work for me - can you really make a
symbolic link ("ln -s ...") when you are connected with smb2/3? Does
"smbstatus" really show smb2/3 connection?

[Ralph Böhme]

On Fri, Jan 23, 2015 at 01:08:31PM -0800, Jeremy Allison wrote:
> On Fri, Jan 23, 2015 at 10:05:44PM +0100, Markus Doits wrote:
> >
> > On 23.01.15 19:57, Miguel Medalha wrote:
> > > I am using Samba 4.1.16 with smb2/3 and symbolic links are working alright.
> > >
> > > Following the smb.conf man page, I use:
> > >
> > > unix extensions = no
> > > wide links = yes
> > >
> > >
> > Unfortunately this still does not work for me - can you really make a
> > symbolic link ("ln -s ...") when you are connected with smb2/3? Does
> > "smbstatus" really show smb2/3 connection?
>
> No you can't - the protocol doesn't support it.

iirc it does, with an IO_REPARSE_TAG_SYMLINK ioctl. We just don't
implement it (yet). :)

-Ralph

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de,mailto:kon...@sernet.de

[Markus Doits]

On 23.01.15 22:16, Ralph Böhme wrote:
> On Fri, Jan 23, 2015 at 01:08:31PM -0800, Jeremy Allison wrote:
>> On Fri, Jan 23, 2015 at 10:05:44PM +0100, Markus Doits wrote:
>>> On 23.01.15 19:57, Miguel Medalha wrote:
>>>> I am using Samba 4.1.16 with smb2/3 and symbolic links are working alright.
>>>>
>>>> Following the smb.conf man page, I use:
>>>>
>>>> unix extensions = no
>>>> wide links = yes
>>>>
>>>>
>>> Unfortunately this still does not work for me - can you really make a
>>> symbolic link ("ln -s ...") when you are connected with smb2/3? Does
>>> "smbstatus" really show smb2/3 connection?
>> No you can't - the protocol doesn't support it.

Oh - that makes me really sad :-(

> iirc it does, with an IO_REPARSE_TAG_SYMLINK ioctl. We just don't
> implement it (yet). :)

So in essence this means: Stay at NT1 if you need symlinks? (And wait
until "IO_REPARSE_TAG_SYMLINK" is implemented?)

Just that you know: I'm trying to have home shares on the network, and
sometimes users need symlinks (in some osx .apps or when installing some
ruby gems). I'm using samba because it should also work with OSX.

[Jeremy Allison]

On Fri, Jan 23, 2015 at 10:16:34PM +0100, Ralph Böhme wrote:
> On Fri, Jan 23, 2015 at 01:08:31PM -0800, Jeremy Allison wrote:
> > On Fri, Jan 23, 2015 at 10:05:44PM +0100, Markus Doits wrote:
> > >
> > > On 23.01.15 19:57, Miguel Medalha wrote:
> > > > I am using Samba 4.1.16 with smb2/3 and symbolic links are working alright.
> > > >
> > > > Following the smb.conf man page, I use:
> > > >
> > > > unix extensions = no
> > > > wide links = yes
> > > >
> > > >
> > > Unfortunately this still does not work for me - can you really make a
> > > symbolic link ("ln -s ...") when you are connected with smb2/3? Does
> > > "smbstatus" really show smb2/3 connection?
> >
> > No you can't - the protocol doesn't support it.
>
> iirc it does, with an IO_REPARSE_TAG_SYMLINK ioctl. We just don't
> implement it (yet). :)

I meant (as I'm sure you know :-) that there's no "POSIX
extensions" defined for SMB2 :-).

We don't do *any* of the reparse point stuff yet (no demand
as I recall it's Admin only on Windows).

[Jeremy Allison]

On Fri, Jan 23, 2015 at 10:23:15PM +0100, Markus Doits wrote:
>
> On 23.01.15 22:16, Ralph Böhme wrote:
> > On Fri, Jan 23, 2015 at 01:08:31PM -0800, Jeremy Allison wrote:
> >> On Fri, Jan 23, 2015 at 10:05:44PM +0100, Markus Doits wrote:
> >>> On 23.01.15 19:57, Miguel Medalha wrote:
> >>>> I am using Samba 4.1.16 with smb2/3 and symbolic links are working alright.
> >>>>
> >>>> Following the smb.conf man page, I use:
> >>>>
> >>>> unix extensions = no
> >>>> wide links = yes
> >>>>
> >>>>
> >>> Unfortunately this still does not work for me - can you really make a
> >>> symbolic link ("ln -s ...") when you are connected with smb2/3? Does
> >>> "smbstatus" really show smb2/3 connection?
> >> No you can't - the protocol doesn't support it.
> Oh - that makes me really sad :-(
> > iirc it does, with an IO_REPARSE_TAG_SYMLINK ioctl. We just don't
> > implement it (yet). :)
> So in essence this means: Stay at NT1 if you need symlinks? (And wait
> until "IO_REPARSE_TAG_SYMLINK" is implemented?)
>
> Just that you know: I'm trying to have home shares on the network, and
> sometimes users need symlinks (in some osx .apps or when installing some
> ruby gems). I'm using samba because it should also work with OSX.

Well there's a workaround called "Minshall/French" symlink format:

https://lists.samba.org/archive/samba-technical/2014-September/102476.html

that hides the symlink target inside a 'special' file. That
should still work over SMB2, but it's tunnelling stuff inside
the protocol, not really protocol support.

It's what the Linux CIFS client uses when it has to do
symlinks against a Windows server which doesnt' support
the UNIX extensions.

[Markus Doits]

This looks good - can I enable/force them on the server or must it be
enabled by every client explicitly by the mount option?

[Jeremy Allison]

On Fri, Jan 23, 2015 at 10:47:22PM +0100, Markus Doits wrote:
> > Well there's a workaround called "Minshall/French" symlink format:
> >
> > https://lists.samba.org/archive/samba-technical/2014-September/102476.html
> >
> > that hides the symlink target inside a 'special' file. That
> > should still work over SMB2, but it's tunnelling stuff inside
> > the protocol, not really protocol support.
> >
> > It's what the Linux CIFS client uses when it has to do
> > symlinks against a Windows server which doesnt' support
> > the UNIX extensions.
> This looks good - can I enable/force them on the server or must it be
> enabled by every client explicitly by the mount option?

It's all client controlled - otherwise it wouldn't work
against a Windows server (which has no symlink knowledge).

[Ralph Böhme]

On Fri, Jan 23, 2015 at 01:20:05PM -0800, Jeremy Allison wrote:
> On Fri, Jan 23, 2015 at 10:16:34PM +0100, Ralph Böhme wrote:
> > On Fri, Jan 23, 2015 at 01:08:31PM -0800, Jeremy Allison wrote:
> > > On Fri, Jan 23, 2015 at 10:05:44PM +0100, Markus Doits wrote:
> > > >
> > > > On 23.01.15 19:57, Miguel Medalha wrote:
> > > > > I am using Samba 4.1.16 with smb2/3 and symbolic links are working alright.
> > > > >
> > > > > Following the smb.conf man page, I use:
> > > > >
> > > > > unix extensions = no
> > > > > wide links = yes
> > > > >
> > > > >
> > > > Unfortunately this still does not work for me - can you really make a
> > > > symbolic link ("ln -s ...") when you are connected with smb2/3? Does
> > > > "smbstatus" really show smb2/3 connection?
> > >
> > > No you can't - the protocol doesn't support it.
> >
> > iirc it does, with an IO_REPARSE_TAG_SYMLINK ioctl. We just don't
> > implement it (yet). :)
>
> I meant (as I'm sure you know :-) that there's no "POSIX
> extensions" defined for SMB2 :-).
>
> We don't do *any* of the reparse point stuff yet (no demand
> as I recall it's Admin only on Windows).

hm. Inferring from `git grep IO_REPARSE_TAG_SYMLINK` it seems
smbclient does support it by virtue of the "symlink"
command. Unfortunately I can't test against OS X SMB2 server atm,
because once again I'm getting strange authenticaton errors.

-Ralph

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de,mailto:kon...@sernet.de

[Jeremy Allison]

On Mon, Jan 26, 2015 at 10:54:58AM +0100, Ralph Böhme wrote:
> On Fri, Jan 23, 2015 at 01:20:05PM -0800, Jeremy Allison wrote:
> > On Fri, Jan 23, 2015 at 10:16:34PM +0100, Ralph Böhme wrote:
> > > On Fri, Jan 23, 2015 at 01:08:31PM -0800, Jeremy Allison wrote:
> > > > On Fri, Jan 23, 2015 at 10:05:44PM +0100, Markus Doits wrote:
> > > > >
> > > > > On 23.01.15 19:57, Miguel Medalha wrote:
> > > > > > I am using Samba 4.1.16 with smb2/3 and symbolic links are working alright.
> > > > > >
> > > > > > Following the smb.conf man page, I use:
> > > > > >
> > > > > > unix extensions = no
> > > > > > wide links = yes
> > > > > >
> > > > > >
> > > > > Unfortunately this still does not work for me - can you really make a
> > > > > symbolic link ("ln -s ...") when you are connected with smb2/3? Does
> > > > > "smbstatus" really show smb2/3 connection?
> > > >
> > > > No you can't - the protocol doesn't support it.
> > >
> > > iirc it does, with an IO_REPARSE_TAG_SYMLINK ioctl. We just don't
> > > implement it (yet). :)
> >
> > I meant (as I'm sure you know :-) that there's no "POSIX
> > extensions" defined for SMB2 :-).
> >
> > We don't do *any* of the reparse point stuff yet (no demand
> > as I recall it's Admin only on Windows).
>
>
> hm. Inferring from `git grep IO_REPARSE_TAG_SYMLINK` it seems
> smbclient does support it by virtue of the "symlink"
> command. Unfortunately I can't test against OS X SMB2 server atm,
> because once again I'm getting strange authenticaton errors.

Nope - the "symlink" command in smbclient just does the UNIX
extensions call.

[Jeremy Allison]

Ignore me, I'm wrong :-). My original smbclient code just
did the UNIX extensions call, but it looks like busy little
fingers have added the FSCTL_SET_REPARSE_POINT call since then :-).